# OAuth

> Implement OAuth authentication for a custom integration app.

If your app provides OAuth capabilities for authentication, the authentication identifiers must be `oauth` and `oauth2` for OAuth v1 and OAuth v2, respectively. Only one authentication type per OAuth version is currently supported.

## **OAuth v1**

### **POST /oauth1/v1/authorize**

The `POST /oauth1/v1/authorize` endpoint obtains a request token and secret and generates the authorization URL for OAuth version 1 accounts.

The request carries a single body parameter, `callback_uri`, which is the URL the user is redirected to after successfully authenticating with the third-party service. `callback_uri` includes a `state` query parameter that MUST be preserved so that Fibery can complete the OAuth flow.

Request body sample:

```json theme={null}
{
  "callback_uri": "https://oauth-svc.fibery.io/callback?state=xxxxxxx"
}
```

The response body should include a `redirect_uri` that the user is forwarded to in order to complete setup, plus `token` and `secret`, the request token and secret granted by the third-party service. Replies are then POSTed to the `/oauth1/v1/access_token` endpoint.

<Callout icon="circle-exclamation" color="#fba32f">
  The OAuth implementation requires the account identifier to be `oauth` for OAuth version 1.

  If the service provider uses callback URL whitelisting, then `https://oauth-svc.fibery.io?state=xxxxx` has to be added to the whitelist.
</Callout>

Response body sample:

```json theme={null}
{
  "redirect_uri": "https://trello.com/1/OAuthAuthorizeToken?oauth_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&name=TrelloIntegration",
  "token": "xxxx",
  "secret": "xxxx"
}
```

### **POST /oauth1/v1/access\_token**

The `POST /oauth1/v1/access_token` endpoint performs the final setup and validation of OAuth version 1 accounts. Information received from the third party upon redirection to the previously posted `callback_uri` is sent to this endpoint, together with other applicable account information, for final setup. The account is then validated and, if successful, the account is returned; if there is an error, it is to be raised appropriately.

The information that is sent to the endpoint includes:

* `fields.access_token` - request token granted during authorization step
* `fields.access_secret` - request secret granted during authorization step
* `fields.callback_uri` - callback uri that is used for user redirection
* `oauth_verifier` - the verification code received after the user accepts on the third-party service's consent screen.

Request body sample (`access_token` and `access_secret` carry the token and secret values from the authorize step):

```json theme={null}
{
  "fields": {
    "access_token": "xxxx",
    "access_secret": "xxxxx",
    "callback_uri": "https://oauth-svc.fibery.io?state=xxxxx"
  },
  "oauth_verifier": "xxxxx"
}
```

The response can include any data that will be used to authenticate the account and fetch information.

<Callout icon="circle-exclamation" color="#199ee3">
  Tip: You can include parameters with `refresh_token` and `expires_on` and then on [validate step](/guides/integrations/rest-endpoints#post-/validate) proceed with access token refresh if it is expired or about to expire.
</Callout>

Response body sample:

```json theme={null}
{
  "access_token": "xxxxxx",
  "refresh_token": "xxxxxx",
  "expires_on": "2020-01-01T09:53:41.000Z"
}
```

## **OAuth v2**

### **POST /oauth2/v1/authorize**

The `POST /oauth2/v1/authorize` endpoint performs the initial setup for OAuth version 2 accounts using the `Authorization Code` grant type by generating a `redirect_uri` based on the received parameters.

The request body includes the following parameters:

* `callback_uri` - the URL the user is redirected to after successfully authenticating with the third-party service
* `state` - opaque value used by the client to maintain state between request and callback. This value should be included in `redirect_uri` so that Fibery can complete the OAuth flow.

Request sample:

```json theme={null}
{
  "callback_uri": "https://oauth-svc.fibery.io",
  "state": "xxxxxx"
}
```

The response body should include a `redirect_uri` that the user is forwarded to in order to complete setup.\
Replies are then POSTed to the `/oauth2/v1/access_token` endpoint.

<Callout icon="circle-exclamation" color="#fba32f">
  The OAuth implementation requires the account identifier to be `oauth2` for OAuth version 2.

  If the service provider uses callback URL whitelisting, then `https://oauth-svc.fibery.io` has to be added to the whitelist.
</Callout>

Response example:

```json theme={null}
{
  "redirect_uri": "https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=xxxxx&redirect_uri=https%3A%2F%2Foauth-svc.fibery.io&scope=openid+profile+email&state=xxxx"
}
```

### **POST /oauth2/v1/access\_token**

The `POST /oauth2/v1/access_token` endpoint performs the final setup and validation of OAuth version 2 accounts. Information received from the third party upon redirection to the previously posted `callback_uri` is sent to this endpoint, together with other applicable account information, for final setup. The account is then validated and, if successful, the account is returned; if there is an error, it is to be raised appropriately.

The information that is sent to the endpoint includes:

* `fields.callback_uri` - callback uri that is used for user redirection
* `code` - the authorization code received from the authorization server during redirect on `callback_uri`

Request body sample:

```json theme={null}
{
  "fields": {
    "callback_uri": "https://oauth-svc.fibery.io"
  },
  "code": "xxxxx"
}
```

The response can include any data that will be used to authenticate the account and fetch information.

<Callout icon="circle-exclamation" color="#199ee3">
  Tip: You can include parameters with `refresh_token` and `expires_on` and then on [validate step](/guides/integrations/rest-endpoints#post-/validate) proceed with access token refresh if it is expired or about to expire.
</Callout>

Response body sample:

```json theme={null}
{
  "access_token": "xxxxxx",
  "refresh_token": "xxxxxx",
  "expires_on": "2020-01-01T09:53:41.000Z"
}
```
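
The two OAuth v2 steps above, sketched as connector-side helpers. This is an added example, not Fibery's code: the `PROVIDER` values, the function names, and the choice to accept only the callback origin named on this page are assumptions, and the provider reply is assumed to use the RFC 6749 field `expires_in`.

```javascript
// Added example: hypothetical helpers; PROVIDER holds constructed placeholders.
const PROVIDER = {
  authorizeUrl: "https://provider.example/oauth2/authorize",
  clientId: "example-client-id",
  scope: "openid profile email",
};
// Assumption: only the callback origin named on this page is accepted.
const ALLOWED_CALLBACK_ORIGIN = "https://oauth-svc.fibery.io";

// Builds the response body for POST /oauth2/v1/authorize.
function buildAuthorizeResponse(body, provider = PROVIDER) {
  const { callback_uri, state } = body || {};
  if (typeof state !== "string" || !state) throw new Error("state is required");
  let callback;
  try {
    callback = new URL(callback_uri);
  } catch {
    throw new Error("callback_uri is not a valid URL");
  }
  // Compare the parsed origin, not a string prefix, so look-alike hosts fail.
  if (callback.origin !== ALLOWED_CALLBACK_ORIGIN) throw new Error("callback_uri not allowed");
  const url = new URL(provider.authorizeUrl);
  // Only public parameters belong in a URL the browser visits; the client
  // secret is used later, server to server, in the access_token step.
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: provider.clientId,
    redirect_uri: callback_uri,
    scope: provider.scope,
    state, // passed through unchanged so the flow can be completed
  }).toString();
  return { redirect_uri: url.toString() };
}

// Maps a provider token reply to the account returned from
// POST /oauth2/v1/access_token, turning expires_in into expires_on.
function toAccount(tokenReply, now = new Date()) {
  if (!tokenReply || typeof tokenReply.access_token !== "string") {
    throw new Error("provider reply has no access_token");
  }
  const expiresIn = Number(tokenReply.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) throw new Error("bad expires_in");
  return {
    access_token: tokenReply.access_token,
    refresh_token: tokenReply.refresh_token,
    expires_on: new Date(now.getTime() + expiresIn * 1000).toISOString(),
  };
}
```

Storing an absolute `expires_on` lets the validate step decide on a refresh without knowing when the token was issued.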
